JP4769147B2 - Batch proof verification method, proof device, verification device, batch proof verification system and program - Google Patents

Description

  The present invention relates to zero knowledge proof technology in the field of information security technology.

  Zero-knowledge proof convinces the verifier that the prover knows the secret information (or proposition, etc.) without leaking any secret information (knowledge) between the prover and the verifier ( Proof).

  As an application of the zero-knowledge proof technique, batch proof that can reduce the calculation cost and communication cost is known rather than handling the zero-knowledge proof of multiple problems individually. For example, batch proof (Batch Proof) (for example, see Non-Patent Document 1) and batch verification (for example, non-patent document 1) that can be expected to reduce the calculation cost rather than individually handling verification of zero knowledge proofs of multiple problems. Patent Document 2) is widely known.

  In the following, each technique related to the zero-knowledge proof technique is outlined by taking knowledge proof as an example.

  First, in the proof of knowledge, for an element P and element Q = wP of a finite group G of some order q (w is an integer of 0 or more and less than q), the prover knows that w is known. Prove it.

  Under this assumption, the following operation verification 1 is performed.

[Proof verification 1]
First, the prover randomly selects an integer r greater than or equal to 0 and less than q, calculates X = rP, and sends X to the verifier (first stage).

Subsequently, the verifier randomly selects an integer c between 1 and 2 ^t and sends it to the prover. Here, t is a certain security parameter (second stage).

  Subsequently, the prover calculates s = (r−cw) mod q and sends it to the verifier (third stage).

  Then, the verifier confirms whether X = sP + cQ is satisfied, and if it is satisfied, determines that the prover knows w (step 4).

Next, batch certification will be described. When proof of knowledge is performed by batch proof, for an element P, P _i = w _i P of a finite group G of a certain order q (i = 1,..., N, w _i is 0 or more and less than q) Integer), the prover proves to the verifier by the following procedure of batch proof verification 2 that w _i (i = 1,..., N) is known.

[Batch proof verification 2]
Batch certification verification 2 is as follows.

  First, the prover randomly selects an integer r greater than or equal to 0 and less than q, calculates X = rP, and sends X to the verifier (first stage).

Subsequently, the verifier randomly selects an integer e of 1 to 2 ^t and sends it to the prover (second stage). Here, t is a certain security parameter.

Subsequently, the prover is to calculate the _{s = (r-Σ i w} i e i) mod q and sends it to the verifier (third stage).

Then, the _{verifier, X = sP + Σ i e} i P i is whether to confirm holds, if the true prover is determined to know the w _i (fourth stage).

  When the proof of knowledge is simply repeated n times by the above procedure, the prover needs to perform the scalar multiplication on G n times and the verifier 2n times. In the case of batch proof, Once, the verifier needs n + 1 times.

  Next, as a preparation for explaining batch verification, a method of performing knowledge proof in a non-interactive manner will be described.

[Proof Verification 3]
First, the prover performs the following procedure (first stage).

  As procedure 1, an integer r of 0 or more and less than q is selected at random, and X = rP is calculated.

As procedure 2, c = H (P‖Q‖X) is calculated. Here, H is a one-way hash function that outputs an integer of 1 to 2 ^{t with} respect to an arbitrary input.

  As procedure 3, s = (r−cw) mod q is calculated and (X, s) is disclosed.

  Then, the verifier uses the public information (G, q, P, Q, X, s) to calculate c ′ = H (P‖Q） X), and confirms that X = sP + c′Q holds. If true, it is determined that the prover knows w (second stage).

  Based on the above proof of non-interactive knowledge, batch verification is described below.

For the verifier Q _i , R _i = w _i Q _i of a finite group G of order q (where i = 1,..., N, w _i is an integer greater than or equal to 0 and less than q), n The following batch verification 4 is performed on the premise that verification (X _i , s _i ) (i = 1,..., N) of non-dialogue knowledge of a set is verified.

[Batch verification 4]
First, c ′ _i = H (Q _i ‖R _i ‖X _i ) is calculated (first stage).

Then, n integers e _i of 1 to 2 ^t are selected at random (where t is a security parameter), and Σ _i e _i (s _i Q _i + c ′ _i R _i −X _i ) = 0 holds. If it holds, it is determined that the prover knows w _i for all (Q _i , R _i , X _i , s _i ) (second stage).

  Thus, when the proof of knowledge is simply repeated n times, the verifier needs to calculate n verification expressions, but in the case of batch verification, only one verification expression is required. Several methods are known that can reduce costs.

  Further, the following methods are known as proof and verification methods for non-interactive knowledge.

[Proof Verification 5]
First, the prover performs the following procedure (first stage).

  Procedure 1 randomly selects an integer r greater than or equal to 0 and less than q, and calculates X = rP.

  Procedure 2 calculates c = H (P‖Q‖X).

  Procedure 3 calculates s = (r−cw) mod q and discloses (c, s).

  Then, the verifier calculates X ′ = sP + cQ using the public information (G, q, P, Q, c, s), and confirms that c = H (P‖Q‖X ′) holds. In this case, it is determined that the prover knows w (second stage).

  Thereby, when the data length of c is shorter than the data length of X, the communication data length can be reduced.

As a related technique, a method (for example, Non-Patent Document 3) that batch-processes zero knowledge proofs in a non-interactive manner is also known.
R. Gennaro, D.M. Leigh, R.A. Sundaram, and W.M. Yerazanis, “Batching Schnorr Identification Scheme with Applications to Privacy-Preserving Authentication Devices and Low-Bandwidth Communication Devices”, ASIA CRYPT. 276-292. D. M'Raihi and D.M. Naccache, “Batch explosion-A fast DLP based signature generation strategy”, 3rd ACM CCS, ACM, 1996, PP. 58-61. B. Schonmarkers and P.M. Tuyls, “Practical two-particulation based on the conditional gate”, Advances in Cryptography—ASIA CRYPT 2004, LNCS 3329, Springer-Verlag, 2004. 119-136.

The proof of the n sets of knowledge that is the input of the batch verification 4 is i = 1,. . . , Different Q _i for n, simply can not be applied to batch certification verification 2 of the techniques described above.

  Further, due to the nature of the proof verification 5 described above, the technique of the batch verification 4 cannot be simply applied to the proof verification 5.

That is, for an element P _i and element X _i = s _i P _i of a finite group G of order q (i = 1,..., N; s _i is an integer of 0 to less than q), a prover In the case of the conventional method in which the method shown in the above proof verification 5 is simply repeated n times when the knowledge of s _i is proved to the verifier, the prover obtains n pieces of information X necessary for the proof, It was necessary to send 2n integers to the verifier.

  Therefore, as in the input of the batch verification 4 described above, in the zero knowledge proof using a plurality of different bases, a method for reducing the calculation cost and the communication cost is required rather than simply repeating the zero knowledge proof n times.

  The present invention has been made based on the above-described problem, and provides a batch proof verification method, a proof device, a verification device, and a batch proof that perform efficient batch processing for zero knowledge proof using a plurality of different bases. To provide a verification system and a program.

In order to solve the above-mentioned problem, the invention according to claim 1 is characterized in that the proving device has an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication. It has an arithmetic unit and four arithmetic units, and the verification device has an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit, which are connected to each other via a communication line. In the batch proof verification method using the proof device and the verification device, an input unit of the proof device includes a certain finite group G, a certain integer n of 2 or more, n elements P _i of the G, an integer s The input unit of the verification device inputs the element X _i that is the sP _i of the finite group G, the integer n, the element P _i and the n finite groups G; random number generation unit are n integers _{e i (i = 1, ...} , n) to generate, the verification Receiving a step of transmitting portion of the location to send the integer e _i to the certification device, receiving section of the proving device is the integer e _i, the random number generator of the proving device generates an integer r, the prover a step of the group adder and scalar multiplication calculation unit obtains the Y calculates the _{Y = Σ i re i P i} , the transmission unit of the verification device the Y sends to the verification apparatus, the reception of the verification device A unit receives Y, the random number generation unit of the verification device generates an integer c, and the transmission unit of the verification device transmits the integer c to the verification device; and the reception unit of the verification device receives the integer c, the four arithmetic operation units of the proving device calculate z = r-cs to obtain z, and the transmitting unit of the proving device transmits the z to the verification device; and the receiving unit of the verification device Receives z, and the group addition operation unit and scalar multiplication operation of the verification device Part is, Y obtains a _{'= Σ i e i (zP} i + cX i) was calculated Y', obtains the determination result comparison unit whether the Y 'is equal to calculated Y was the reception of the verification device And outputting the determination result from the output unit of the verification device.

The invention described in claim 2 includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit, and an input proof Is a proof device for proving knowledge of s with respect to an element X _i that is information necessary for the above, and at the input unit, a certain finite group G, an integer n greater than or equal to 2, n elements P _i of the G, an integer The means for inputting s and the receiving unit receive the integer e _i , cause the random number generation unit to generate an integer r, and the group addition operation unit and scalar multiplication operation unit to set Y = Σ _i re _i P _i Y is calculated and the transmission unit transmits the Y, and the reception unit receives the integer c. The four arithmetic operation units calculate z = r−cs to obtain z, and the transmission unit means for transmitting z.

The invention described in claim 3 includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit. Means for inputting a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, an integer s less than the integer G, and receiving the integer e _i from the receiving unit. An integer r is generated, Y = Σ _i re _{i Pi} is calculated by the group addition operation unit and the scalar multiplication operation unit, Y is obtained, the transmission unit transmits the Y, and the reception unit transmits the integer means for receiving z, calculating z = r−cs in the four arithmetic operation units, obtaining z, and transmitting the z in the transmission unit, and an element X _i that is information necessary for the input proof the finite group G used in the certification apparatus to prove the knowledge of s with respect to the integer n, the original P _i and n number of the finite group G sP _i Input unit, an output unit for inputting the certain original X _i, transmitting unit, receiving unit, the random number generation unit, the group addition operation unit, the scalar multiplication unit, a verification device comprising a comparing unit, a random number generation unit of the verification device Generating n integers e _i (i = 1,..., N), and transmitting the integer e _i in the transmitting unit of the verification device; and receiving Y in the receiving unit of the verification device; Means for generating an integer c in the random number generation unit of the verification device, transmitting the integer c in the transmission unit of the verification device, receiving z from the reception unit of the verification device, and group addition operation unit of the verification device and a scalar multiplication unit, Y obtains a _{'= Σ i e i (zP} i + cX i) was calculated Y', whether the Y calculated as Y said received comparison of the verification device 'equals Means for obtaining a determination result and outputting the determination result from the output unit of the verification device. .

The invention according to claim 4 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and is an element necessary for proof input. A proof device for proving knowledge of s with respect to X _i , from an input unit, from a certain finite group G, an integer n of 2 or more, and n elements P _i (i = 1, 2,...) Of G. N), an integer s, an element X _i that is an sP _i of a finite group G, a means for causing the random number generation unit to generate a random number r, and a hash function calculation unit including P ₁ ,. , type P _n, a means for generating an integer e _i, based on the random number r and an integer e _i, computes the Y = Σ _i e _i rP _i in said group adder and scalar multiplication unit , Y is obtained, and based on the obtained Y, Y is input to the hash function calculation unit to generate a numerical value c. Means for calculating z = r−cs by the four arithmetic operation units, obtaining z, and means for outputting the numerical values c and z by the output unit.

The invention according to claim 5 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and the input unit is a finite group G. Means for inputting an integer n of 2 or more, n elements P _i of G (i = 1, 2,..., N), an integer s, and an element X _i of sP _i of a finite group G; Means for generating a random number r in the random number generation unit, means for generating an integer e _i by inputting P ₁ ,..., P _n to the hash function calculation unit, and the random number r and the integer e _i based on the Y = Σ _i e _i rP _i in said group adder and scalar multiplication unit calculates, means for determining Y, based on the obtained Y, the hash function operation unit, type Y Then, means for generating a numerical value c, means for calculating z = r−cs by the four arithmetic operation units, obtaining z, and the output unit Serial numerical c, comprises a means for outputting a z, a, the finite group G used in the certification apparatus to prove the knowledge of s with respect to the original X _i which is necessary information to the input proven integer n, the original P _i, c which is output using the original X _i and their values are sP _i of the finite group G, an input unit for inputting the z, output unit, the group addition operation unit, the scalar multiplication unit, a hash function operation unit, comparison , _Pn for verifying the knowledge of s with respect to the element X _i that is information necessary for the input proof, and P ₁ ,... type, integers e 'and means for generating a _i, said at group adder of the verification device and the scalar multiplication unit, Y''calculates the _{i (zP i + cX i)} , Y' = Σ i e the Means for obtaining, and means for calculating the numerical value c ′ by inputting the obtained Y ′ to the hash function calculation unit of the verification device; It means for determining whether the c and c 'are equal in the determination of the verification device, and means for outputting the judgment result at the output of the verification device,
It is characterized by providing.

The invention described in claim 6 includes a proof device comprising an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit, The verification device includes an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit, and the verification device and the verification device connected to each other via a communication line. A batch proof verification method to be used, wherein the input unit of the proof device inputs a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and n integers s _i ; The input unit of the verification device inputs the element X _i which is the G, n, P _i and n G s _i Pis _; and the random number generation unit of the verification device has n integers e _i (i = 1,..., n) is generated, and the transmitting unit of the verification device transmits an integer e _i to the proving device. A step, receiving portion of the proving device receives the integer e _i, the random number generation unit of the proving device generates a n integers r _i, computes the _{Y = Σ i r i e i} P i, prover Transmitting the Y to the verification device, the reception unit of the verification device receives Y, the random number generation unit of the verification device generates an integer c, and the transmission unit of the verification device proves the integer c The step of transmitting to the device, the receiving unit of the proving device receives the random number c, the four arithmetic operation units of the proving device calculate z _i = r _i -cs _i, and the transmitting unit of the proving device verifies z _i And the receiving unit of the verification device receives z _i, and the group addition operation unit and the scalar multiplication operation unit of the verification device calculate Y ′ = Σ _i e _i (z _i P _i + cX _i ). The comparison unit of the verification device determines whether or not the received Y and the calculated Y ′ are equal to each other. And butterflies.

The invention described in claim 7 includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit, and an input proof Is a proof device for proving the knowledge of s with respect to an element X _i that is necessary information for the element X _{i at the} input unit, a certain finite group G, an integer n greater than or equal to 2, and n elements P _i of the G, n Means for inputting the integers s _i , the reception unit receives the integer e _i , causes the random number generation unit to generate n integers r _i , and the group addition calculation unit and the scalar multiplication calculation unit Y = calculate the _{Σ i r i e i P i} , and means for transmitting the Y in the transmitting unit, receives a random number c by the reception unit, calculates the z _i = r _i -cs _i in the arithmetic unit, Means for transmitting z _i by the transmitter.

The invention described in claim 8 includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit. Means for inputting a certain finite group G, an integer n of 2 or more, n elements P _i of G, and n integers s _i , and receiving the integer e _i by the receiver, means for generating n integers r _i , Y = Σ _i r _i e _i P _i is calculated by the group addition operation unit and the scalar multiplication operation unit, Y is transmitted by the transmission unit, and a random number is generated by the reception unit means for receiving c, calculating z _i = r _i -cs _i in the four arithmetic operation units, and transmitting z _i in the transmission unit, and for the element X _i that is the information necessary for the input proof finite group G used in the certification apparatus to prove the knowledge of s, there are two or more integer n, s _i P _i of n elements P _i and n number of the finite group G of the G Input unit, an output unit for inputting the certain original X _i, transmitting unit, receiving unit, the random number generation unit, the group addition operation unit, the scalar multiplication unit, a verification device comprising a comparing unit, a random number generation unit of the verification device Generating n integers e _i (i = 1,..., N), the transmitting unit of the verification device transmitting the integer e _i, and the receiving unit of the verification device receiving Y, Causing the random number generation unit of the verification device to generate an integer c, and transmitting the integer c by the transmission unit of the verification device; receiving z _i by the reception unit of the verification device; and a group addition operation unit of the verification device; and Y means for determining whether _{'= Σ i e i (z} i P i + cX i) is calculated and the received Y and calculated Y' are equal in the comparison of the verification device in the scalar multiplication unit, It is characterized by having.

The invention described in claim 9 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and is an element necessary for input proof. A proof device for proving knowledge of s with respect to X _i , wherein at the input unit, a certain finite group G, an integer n of 2 or more, and n elements P _i (i = 1, 2,...) Of G. ., n), n integers s _i, means for inputting the original X _i, which is the s _i P _i of G, and means for generating n random number r _i in the random number generation unit, the hash function operation in part, P _1, · · ·, type a P _n, a means for generating an integer e _i, in the group addition operation unit and the scalar multiplication unit calculates the _{Y = Σ i e i r i} P i and means, in the hash function operation unit, and means for generating a numerical value c to input Y, in the arithmetic unit, calculates the z _i = r _i -cs _i Means _{that, (c, z 1, ...} , z n) in the output section and having a means for outputting, a.

The invention described in claim 10 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and the input unit is a finite group G. Input an integer n of 2 or more, n elements P _i of G (i = 1, 2,..., N), n integers s _i and elements X _i of G s _i P _i. Means for generating n random numbers r _i in the random number generation unit; and means for generating integer e _i by inputting P ₁ ,..., P _n to the hash function calculation unit; in the group adder and scalar multiplication unit, means for calculating a _{Y = Σ i e i r i} P i, the hash function operation unit, a means for generating an integer c by entering Y, the arithmetic Means for calculating z _i = r _i −cs _i in the arithmetic unit and means for outputting (c, z ₁ ,..., Z _n ) in the output unit; The finite group G used in the certification apparatus to prove the knowledge of s _i for the original X _i which is information necessary force has been proven, integer n, based on P _i, based on X which is a s _i P _i of the finite group G c and z ₁ ,... output using _i and their values. . . , Z _n input unit, output unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, comparison unit, knowledge of s _i for element X _i that is necessary information for proof input a verification apparatus comprising means for verifying, P ₁ to the hash function operation unit of the verification device, ..., type P _n, a means for generating an integer e _'i, the verification device in the group adder and scalar multiplication unit _{Y '= Σ i e' i} (z i P i + cX i) means for calculating a, the Y in the hash function operation unit of the verification device 'integral to input c' Generating means, means for determining whether the input c and the calculated c ′ are equal in the comparison unit of the verification device, and outputting the determination result in the output unit of the verification device And means.

The invention according to claim 11 is provided with an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and an arithmetic operation unit, The verification device includes an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit, and the verification device and the verification device connected to each other via a communication line. A batch proof verification method to be used, wherein the input unit of the proof device inputs a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and n integers s _i ; The random number generation unit of the proving device generates a random number r _i (i = 1,..., N), and Y = Σ _i r by the group addition operation unit of the proving device and the scalar multiplication operation unit of the proving device. the _i P _i calculated, a step of transmitting portions of the proving device transmits the Y, wherein Receiver proof apparatus receives the Y, the random number _{e i (i = 1, ...} , n) the random number generator consists of an integer from 0 to less than 2 ^t of the verification device generates, the verification device A step of transmitting a random number e _i from the transmitting unit; a receiving unit of the proving device receives the random number e _i, and z _i = (r _i −e _i s _i ) is calculated by an arithmetic operation unit of the proving device; wherein the step of transmitting portions of the proving device transmits the z _i, the use of the group adder and scalar multiplication portion of the verification device calculates the _{Y '= Σ i z i P} i + e i X i, the verification And a step of determining whether or not the received Y is equal to the calculated Y ′.

The invention described in claim 12 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and is an element necessary for input proof. A proof device for proving knowledge of s with respect to X _i , wherein at the input unit, a certain finite group G, a certain integer n of 2 or more, n integers s _i , and n elements P _i (i of G) = 1, 2,..., N), means for inputting element X _i which is s _i P _i of finite group G, and random number r _i (i = 1,. , a means for generating an n), means for calculating a Y = Σ _i r _i P _i by the group addition operation unit and the scalar multiplication unit, P ₁ to the hash function operation unit, ..., the P _n type, generates an integer e, further comprising means for generating a numerical value c to input Y, in the arithmetic unit, z ^_i = r _i -e _i It means for calculating a _{s i, (c, z 1} , ..., z n) in the output section and having a means for outputting, a.

The invention described in claim 13 includes an input unit, an output unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, and an arithmetic operation unit, and the input unit is a finite group G. An integer n greater than or equal to 2, n integers s _i , n elements P _i of G (i = 1, 2,..., N), elements X _i that are s _i P _i of a finite group G Y = Σ _i r _i by means for inputting, means for generating random numbers r _i (i = 1,..., N) that are integers from the random number generation unit, and the group addition calculation unit and scalar multiplication calculation unit Means for calculating P _i , means for inputting P ₁ ,..., P _n to the hash function computing unit, generating an integer e, and inputting Y to generate a numerical value c; in the calculating portion, means for calculating a ^{_{z i = r i -e i cs}} i, at the output section _{(c, z 1, ...,} z n) and means for outputting, the And, the finite group G used in the certification apparatus to prove the knowledge of s with respect to the original X _i which is necessary information to the input proven integer n, the integer s _i, based on P _i, of the finite group G s _i P _i C, z ₁ ,... Output using these elements X _i and their values. . . , Z _n input unit, output unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, comparison unit, knowledge of s _i for element X _i that is necessary information for proof input a verification apparatus comprising means for verifying, P ₁ to the hash function operation unit of the verification device, ..., type P _n, a means for generating an integer e, the group addition of the verification device 'means for calculating a _{= Σ i z i P i +} e i cX i, Y to the hash function operation unit of the verification device' Y in the calculating portion and the scalar multiplication unit and means for generating the integer c 'to input Means for determining whether or not the input numerical value c and the calculated integer c ′ are equal in the comparison unit of the verification device, and means for outputting the determination result in the output unit of the verification device. It is characterized by having.

  The invention according to claim 14 is a batch certification verification system, wherein the certification device according to claim 2 and the verification device according to claim 3 are connected by a communication line, and the certification device according to claim 2 and the billing Item 4. Batch verification is performed by transmitting and receiving data between verification devices according to item 3.

  The invention according to claim 15 is a batch certification verification program, characterized in that the batch certification verification method according to any one of claims 1, 6 and 11 is described as a computer program executable by a computer. .

  According to the first, sixth, and 14th aspects of the present invention, it is possible to make n + 1 integers to be sent to the verifier simply by obtaining the information Y and Y 'necessary for the proof.

  According to the second, fourth, seventh, ninth, and twelfth aspects of the invention, one piece of information Y required for proof verification can be obtained.

  According to the third, fifth, eighth, tenth and thirteenth aspects of the present invention, one piece of information Y 'required for proof verification can be obtained.

According to the eleventh aspect of the present invention, proof verification can be performed only by generating the random number e _i .

  According to the fifteenth aspect of the present invention, the batch certification verification method according to any one of the first, sixth, and eleventh aspects can be described as a computer program.

  Further, in detail, the verification device according to claim 7 and the verification device according to claim 8 are connected by a communication line, and the verification device according to claim 7 and the verification according to claim 8 are connected. A batch certification verification system that performs batch certification verification by transmitting and receiving data between devices can also be configured.

  Furthermore, in the verification device according to claim 4 and the verification device according to claim 5, or the verification device according to claim 9 and the verification device according to claim 10, data is transmitted and received between the verification device and the verification device. It is possible to configure a batch certification verification system that performs batch verification even if it is not necessary.

  As described above, according to the first, second, third, sixth, seventh, eighth, and 14th inventions, it is possible to improve the efficiency of calculation processing and communication amount in proof verification.

  According to the inventions of the fourth, fifth, ninth, tenth, twelfth and thirteenth aspects, it is possible to improve the efficiency of arithmetic processing in proof verification.

  According to the eleventh aspect of the invention, the number of communications between the proving apparatus and the verification apparatus can be reduced compared to the batch proof verification method according to the sixth aspect.

  According to the fifteenth aspect of the present invention, it is possible to provide a computer program that implements the batch certification verification method according to any one of the first, sixth, and eleventh aspects.

  This can contribute to the information security technology field.

  Hereinafter, the present embodiment will be described in detail based on the drawings.

[First Embodiment]
The system of the first embodiment is a system for proving and verifying the knowledge of s, and for elements P _i and X _i of a finite group G of order q (i = 1,..., N). , X _i = sP _i is a method of proving to others that there is an integer s of 0 or more and less than q without giving information that can significantly determine s. Note that n is an integer of 2 or more.

  The apparatus configuration of the batch certification verification system in the first embodiment will be described with reference to FIG.

  The batch certification verification system includes a certification device (for example, a personal computer) 1 and a verification device (for example, a personal computer) 2, which are communication lines (for example, an IP (Internet Protocol) network) that can transmit and receive data to and from each other. It is assumed that 100 is connected.

  The proving device 1 includes an input unit 11 for inputting initial information, a transmission unit 12, a reception unit 13, a random number generation unit 14 for generating random numbers, a group addition operation unit 15, a scalar multiplication operation unit 16, and an arithmetic operation unit 17. .

  The verification device 2 includes an input unit 21, an output unit 22, a transmission unit 23, a reception unit 24, a random number generation unit 25, a group addition calculation unit 26, a scalar multiplication calculation unit 27, and a comparison unit 28.

  Although not shown, the proving device 1 and the verification device 2 include a general-purpose storage unit (for example, a memory or a hard disk device) that stores data and program codes in the following calculations and processes. The proving device 1 and the verification device 2 may include a CPU (Central Processing Unit) that controls each unit. The random number generation unit 14 and the random number generation unit 25 may include a random number generation device. The four arithmetic operation units 17 also process the remainder calculation. The group addition operation unit (for example, the group addition operation units 15 and 26) is a unit that performs an addition operation in the group operation.

First, the verification device 2 inputs initial information (G, q, n, P _i , X _i ) from the input unit (for example, an input unit including a keyboard device) 21, and then receives 0 or more 2 ^t from the random number generation unit 25. A random number e _i (i = 1,..., N) consisting of an integer less than is obtained, and the transmission unit 23 is used to transmit the random number e _i to the proving device 1. Note that t is a security parameter and is a natural number satisfying 2 ^t ≦ q. For example, t = 160. Obtained and input initial information from initial information management means (for example, a database device or a memory) provided in the verification device 2 and managing initial information (G, q, n, P _i , X _i ) stored in the storage unit You may input into the part 21. FIG.

Subsequently, the proving device 1 inputs initial information (G, q, n, s, P _i ) from the input unit (for example, an input unit including a keyboard device) 11, and then the random number e _i transmitted by the verification device 2. Is received from the receiving unit 24, a random number r consisting of an integer of 0 or more and less than q is obtained from the random number generating unit 25, and Y = Σ _i re _{i Pi} is calculated by the group addition calculating unit 26 and the scalar multiplication calculating unit 27. , Y is transmitted from the transmission unit 12 to the verification device 2. Note that even if the initial information is obtained from the initial information management means that manages the initial information (G, q, n, s, P _i ) that is provided in the proof device 1 and is stored in the storage unit, the initial information may be input to the input unit 11. good.

Subsequently, after receiving Y from the receiving unit 24, the verification device 2 obtains a random number c consisting of an integer between 0 and less than 2 ^t from the random number generating unit 25, and transmits the random number c from the transmitting unit 23 to the proving device 1. .

  Subsequently, after receiving the random number c, the proving device 1 calculates z = (r−cs) mod q by the four arithmetic operation unit 17 and transmits z to the verification device 2 from the transmission unit 12. Note that z is a remainder obtained by dividing r-cs by q. That is, z is an integer of 0 or more and less than q.

Finally, the verification device 2 receives z by the receiving unit 24, calculates Y ′ = Σ _i e _i (zP _i + cX _i ) by the group addition calculating unit 26 and the scalar multiplication calculating unit 27, and the comparing unit 28 A determination result as to whether Y and Y ′ are equal is obtained, and the determination result is output from the output unit 22.

As described above, in the first embodiment, the proof and verification procedure method that there exists an integer s greater than or equal to 0 and less than q such that X _i = sP _i has been described, but the part that can be generated and calculated in advance May be performed in advance without following the above procedure.

  For example, it is clear that the random number c generated by the verification device can be generated before Y is received from the proving device.

The range of random numbers is not limited to the first embodiment. For example, c may be taken from an integer of 0 or more and less than q, and r may be taken from an integer of 0 or more and less than ^2t .

Further, any of e _i may be 1, and as a device for further reducing the transmission data length, e ₂ ,. . . , E _n can also be automatically determined from the random number e _1.

For example, e ₁ = 1, e ₂ is a random number e, and for i> 2, e _i = e ⁱ mod q, or H is an arbitrary input and outputs an integer from 1 to less than 2 ^t. If e _i = H (e‖i), etc. (where “‖” means data concatenation), the verification device does not need to send all (e ₁ ,..., E _n ), Only e ₂ is generated and transmitted to the proving device, and (e ₁ , e ₃ ,..., e _n ) may be generated by the proving device and the verification device, respectively.

[Second Embodiment]
In the first embodiment, the method in which the proof device and the verification device perform proof verification interactively has been described. In the second embodiment, a method in which the proof device and the verification device perform proof verification in a non-interactive manner will be described.

As in the first embodiment, the second embodiment is a method for proving and verifying the knowledge of s, and for the elements P _i and X _i of a finite group G of order q (i = 1, , N), a method of proving to others that there is an integer s greater than or equal to 0 and less than q such that X _i = sP _i , without giving information that can significantly determine s. is there. Note that n is an integer of 2 or more.

  The apparatus configuration of the batch certification verification system in the second embodiment will be described with reference to FIG.

  The batch proof verification system includes a proof device 3 and a verification device 4.

  The proving device 3 includes an input unit 31, an output unit 32, a random number generation unit 33, a group addition operation unit 34, a scalar multiplication operation unit 35, a hash function operation unit 36, and an arithmetic operation unit 37.

  The verification device 4 includes an input unit 41, an output unit 42, a group addition calculation unit 43, a scalar multiplication calculation unit 44, a hash function calculation unit 45, and a comparison unit 46.

  Although not shown, the proving device 3 and the verification device 4 include a general-purpose storage unit (for example, a memory or a hard disk device) that stores data in the following calculation and processing. The proving device 3 and the verification device 4 may include a CPU that controls each unit. The random number generation unit 33 may include a random number generation device. The four arithmetic operation unit 37 also processes the remainder calculation. The group addition operation unit (for example, the group addition operation units 34 and 43) is a unit that performs an addition operation in the group operation.

  Note that, unlike the first embodiment, proof verification can be performed in a non-interactive manner, so the proof device 3 and the verification device 4 do not need to be able to transmit and receive data to and from each other. Therefore, the transmission unit and the reception unit are not necessary. Information output from the certification device 3 may be stored in a recording medium (for example, a recording medium such as a CD-ROM (Compact Disk Read Only Memory)), and the verification device 4 may input the information as necessary. .

  Below, the procedure which the certification | authentication apparatus 3 and the verification apparatus 4 perform is demonstrated.

First, the proving device 3 inputs initial information (G, q, n, s, P _i ) from an input unit (for example, an input unit including a keyboard device) 31, and then i = 1, . . . , N, e _i = H (q‖n‖P ₁ ‖... ‖P _n ‖i) is calculated. Here, H is a hash function that takes a bit string within a certain range as input and outputs an integer between 0 and q, and “‖” is a symbol that signifies data concatenation. The initial information may be obtained from the initial information management means that manages the initial information (G, q, n, s, P _i ) that is provided in the proving device 3 and stored in the storage unit, and may be input to the input unit 31.

Subsequently, the random number generation unit 33 generates a random number r that is an integer greater than or equal to 0 and less than q, the group addition operation unit 34 and the scalar multiplication operation unit 35 calculate Y = Σ _i e _i rP _i , and the hash function operation unit 36, c = H (q‖n‖P ₁ ‖... ‖P _n ‖Y) is calculated, z = (r−cs) mod q is calculated by the four arithmetic operation unit 37, and (c, z) is calculated. Output from the output unit 32.

In response to this, the verification device 4 receives initial information (G, q, n, etc.) from an input unit (for example, an input unit including a keyboard device, an input unit including a communication line connected to a storage unit storing initial information) 41. After inputting P _i , X _i , c, z), the hash function calculation unit 45 calculates e ′ _i = H (q‖n‖P ₁ ‖... ‖P _n ‖i), and group addition operation the parts 43 and scalar multiplication calculation portion 44 calculates the _{Y '= Σ i e' i} (zP i + cX i), from the hash function operation unit 45 c '= H (q‖n‖P ₁ ‖ · · · ‖P _n ‖Y ') was calculated, c and c by the comparison unit 46' determines whether or not equal to the output from the output unit 42 the determination result. The initial information is obtained from the initial information management means that is provided in the verification device 4 and manages the initial information (G, q, n, P _i , X _i , c, z) stored in the storage unit. May be entered.

As described above, in the second embodiment, the method for performing non-dialogue proof and verification procedure for the existence of an integer s greater than or equal to 0 and less than q such that X _i = sP _i has been described. The point of the form is to generate a random number e _i from the initial information using a hash function. In the second embodiment, e _i = H (q‖n‖P ₁ ‖... ‖P _n ‖i), but the input of the hash function may be this partial data or there may be additional data. . As similarities to the first embodiment, e ₁ = 1, e ₂ = e = H (q （n‖P ₁ ‖... P _n ), e _i = e ⁱ mod q (i = 3,. .., n) as may be generated by e _i.

[Third Embodiment]
The third embodiment, the original P _i of the finite group G of a position number q, the original _{X i (i = 1, ...} , n), and made such 0 or X _i = s _i P _i In this method, the existence of an integer s _i less than q is proved to another person without giving information that can significantly determine s _i . Note that n is an integer of 2 or more.

  The apparatus configuration of the batch certification verification system according to the third embodiment is the same as that shown in FIG. In the following description, the description of the same reference numerals as those in FIG. 1 is omitted.

First, the verification device 2 inputs initial information (G, q, n, P _i , X _i ) from the input unit 21, and then a random number e _i (i) consisting of an integer between 0 and less than 2 ^t by the random number generation unit 25. = 1,..., N), and e _i is transmitted from the transmitting unit 23 to the proving device 1.

Subsequently, after the initial information (G, q, n, s _i , P _i ) is input from the input unit 11, the proving device 1 receives e _i transmitted from the verification device 2 from the receiving unit 13 and generates a random number. A random number r _i (i = 1,..., N) consisting of an integer greater than or equal to 0 and less than q is obtained from the unit 14, and Y = Σ _i r _i e _i P by the group addition operation unit 15 and the scalar multiplication operation unit 16. _i is calculated, and Y is transmitted from the transmission unit 12 to the verification device 2.

Subsequently, after receiving Y from the receiving unit 24, the verification device 2 obtains a random number c consisting of an integer between 0 and less than 2 ^t from the random number generation unit 25, and transmits the random number c from the transmission unit 23 to the proving device 1.

Subsequently, after receiving the random number c, the proving device 1 calculates z _i = (r _i −cs _i ) mod q by the four arithmetic operation unit 17, and transmits z _i from the transmission unit 12 to the verification device 2.

Finally, either the verification device 2, from the group adder 26 and a scalar multiplication unit 27 Y '= Σ _i e _i a _{(z i P i + cX i} ) calculates, Y and Y from the comparison section 28' of equal A determination result of whether or not is obtained, and the determination result is output from the output unit 22.

[Fourth Embodiment]
In the third embodiment, the method in which the proof device and the verification device perform proof verification interactively has been described. In the fourth embodiment, a method in which the proof device and the verification device perform proof verification in a non-interactive manner will be described.

In the fourth embodiment, as in the third embodiment, for elements P _i and X _i of a finite group G of order q (i = 1,..., N), X _i = s _i P _This is a method for proving to others that there is an integer s _{i that} is greater than or equal to 0 and less than q that is _i , without giving information that can significantly determine s _i . Note that n is an integer of 2 or more.

  The apparatus configuration of the batch certification verification system according to the fourth embodiment is the same as that shown in FIG. In the following description, the description of the same reference numerals as those in FIG. 2 is omitted.

  Below, the procedure which the certification | authentication apparatus 3 and the verification apparatus 4 perform is demonstrated.

After the initial information (G, q, n, s _i , P _i ) is input from the input unit 31, the proving device 3 receives i = 1,. . . , N, e _i = H (q ‖n ‖P ₁ ‖... ‖P _n ‖i) is calculated, the random number generator 33 generates a random number r _i that is an integer greater than or _equal to 0 and less than q, and the group addition the arithmetic unit 34 and the scalar multiplication calculation portion 35 calculates the _{Y = Σ i e i r i} P i, the hash function operation unit 36 c = H (q‖n‖P ₁ || ··· ‖P _n ‖Y) And the arithmetic operation unit 37 calculates z _i = (r _i −cs _i ) mod q, and outputs (c, z _i ,..., Z _n ) from the output unit 32.

In response to this, the verification device 4 inputs initial information (G, q, n, P _i , X _i , c, z ₁ ,..., Z _n ) from the input unit 41 and then the hash function calculation unit 45. E ′ _i = H (q ‖n‖P ₁ ‖... ‖P _n ‖i) is calculated, and Y ′ = Σ _i e ′ _i (z _i ) is calculated by the group addition operation unit 43 and the scalar multiplication operation unit 44. P _i + cX _i ), c ′ = H (q‖n‖P ₁ ‖... P _n ‖Y ′) is calculated by the hash function calculation unit 45, and c and c ′ are calculated by the comparison unit 46. It is determined whether or not they are equal, and the determination result is output from the output unit 42.

[Fifth Embodiment]
The fifth embodiment has the same initial conditions and apparatus configuration as the third embodiment.

First, after the initial information (G, q, n, s _i , P _i ) is input from the input unit 11, the proving apparatus 1 receives a random number r _i (i = i = n) that is an integer from 0 to less than q from the random number generation unit 14. 1, ..., with the n), calculates the Y = Σ _i r _i P _i by the group addition unit 15 and the scalar multiplication unit 16, and transmitted from the transmission unit 12 a Y to the verification device 2.

Subsequently, after receiving Y from the receiving unit 24, the verification device 2 obtains a random number e _i (i = 1,..., N) composed of an integer of 0 or more and less than 2 ^t from the random number generation unit 25 and transmits it. The random number e _i is transmitted from the unit 23 to the proving device 1.

Subsequently, after receiving the random number e _i , the proving device 1 calculates z _i = (r _i −e _i s _i ) mod q by the four arithmetic operation unit 17 and transmits z _i from the transmission unit 12 to the verification device 2. To do.

Finally, the verification apparatus 2, using the group addition operation unit 26 and a scalar multiplication unit 27 'calculates a _{= Σ i z i P i +} e i X i, Y and Y with the comparison unit 28' Y is A determination result of whether or not they are equal is obtained, and the determination result is output from the output unit 22.

  As described above, the fifth embodiment requires fewer communication times between the proving device and the verification device than the third embodiment.

[Sixth Embodiment]
The sixth embodiment is a method for performing the fifth embodiment in a non-interactive manner. The apparatus configuration is the same as in FIG.

First, after the initial information (G, q, n, s _i , P _i , X _i ) is input from the input unit 31, the proving device 3 receives a random number r _{i that} is an integer from 0 to less than q from the random number generation unit 33. (i = 1, ..., n ) to generate, compute the Y = Σ _i r _i P _i by the group addition unit 34 and the scalar multiplication calculation portion 35, then by the hash function operation unit 45 e = H (q‖n‖P ₁ || ··· ‖P _n ‖X ₁ || ··· ‖X _n ‖Y) was calculated, z _i = the arithmetic unit ^{_{37 (r i -e i s i}} ) mod q And (e, z ₁ ,..., Z _n ) is output from the output unit 32.

In response to this, the verification apparatus 4 inputs initial information (G, q, n, P _i , X _i , e ₁ , z ₁ ,..., Z _n ) from the input unit 41 and then the group addition operation unit 43. and 'calculates a _{= Σ i z i P i +} e i X i, the hash function operation unit 45 e' Y by the scalar multiplication unit 44 = H (q‖n‖P ₁ || ··· ‖P _n ‖X ₁ ‖... ‖X _n ‖Y ′), the comparison unit 46 determines whether e and e ′ are equal, and outputs the determination result from the output unit 42.

[Seventh Embodiment]
The seventh embodiment is a method of batch processing zero knowledge proofs described in Non-Patent Document 3, which is an application example of the fourth embodiment. The apparatus configuration is the same as in FIG.

In Non-Patent Document 3, it is necessary to perform zero knowledge proof for data similar to the following: finite groups G, G elements P, Q, Q ′, P _i , Q _i , X _i , Y of a certain order q _i , Z _i , P ′ _i , Q ′ _i , X ′ _i , Y ′ _i (i = 1,..., n). Here, Z _i = x _i P + w _i Q ′, P ′ _i = s _i + x _i P _i , Q ′ _i = s _i Q + x _i Q, X ′ _i = t _i P + x _i X _i , Y ′ = t _i Q + x _i Y _i , and s _i , t _i , w _i , and x _i are secret integers. That is, the prover proves s _i , t _i , w _i , and x _i . In the application shown in Non-Patent Document 3, n is considered to be very large. Therefore, reducing the calculation cost and the communication cost is important in terms of increasing the feasibility of the application.

Hereinafter, a processing procedure for proving knowledge of s _i , t _i , w _i , and x _i will be described.

The proving device 3 receives initial information (G, q, P, Q, Q ′, P _i , Q _i , X _i , Y _i , Z _i , P ′ _i , Q ′ _i , X ′ _i , Y ′ _i , s _i , t _i , w _i , x _i ) are input (i = 1,..., N), and then e _i = H (q‖n‖P using the hash function calculation unit 36. ‖Q‖Q'‖XX‖i) was calculated, integers become random number a from 0 to less than using a random number generation unit 33 q, b, d, produces a r _i, the group addition operation unit 34 and the scalar multiplication the arithmetic unit 35 A = bQ '+ (Σ i r i) P, B = aP + Σ i e i r i P i, C = aQ + Σ i e i Q i, D = cP + Σ i e i r i X i, E = _{dQ + Σ i e i r i} Y i is calculated and calculates a c = H (A‖B‖C‖D‖E) by the hash function operation unit 36, z ₁ by the arithmetic unit 37, _i = (r i - _{e i cx i) mod q,} z 2 = (b-c (Σ i _{i w i)) mod q,} z 3 = (a-c (Σ i e i s i)) mod q, z 4 = (d-c (Σ i e i t i)) a mod q is calculated, ( c, z _{1, i} ,..., z ₁ , n, z ₂ , z ₃ , z ₄ ) are output from the output unit 32. Here, XX represents i = 1,. . . , N, let P _i , Q _i , X _i , Y _i , Z _i , P ′ _i , Q ′ _i , X ′ _i , Y ′ _i be arranged data.

In response to this, the verification apparatus 4 receives initial information (G, q, P, Q, Q ′, P _i , Q _i , X _i , Y _i , Z _i , P ′ _i , Q ′ _i from the input unit 41. , X ′ _i , Y ′ _i ), ei is calculated by the hash function calculation unit, and A ′ = (Σ _i z _{1, i} ) P + z ₂ is calculated by the group addition calculation unit 43 and the scalar multiplication calculation unit 44. _{Q '+ Σ i e i Z} i, B' = z 3 P + Σ i z i, 1 P i + e i cX 'i, C' = z 3 Q + Σ i z 1, i Q i + e i cQ 'i, D' = _{z 4 P + Σ i z 1} , i X i + e i cX 'i, E' = z 4 ' computes the _i, c by the hash function operation unit _{45' Q + Σ i z 1} , i Y i + e i cY = (a ' (B′‖C′‖D′‖E ′) is calculated, the comparison unit 46 determines whether c and c ′ are equal, and the determination result is output from the output unit 42.

  A storage medium storing software program codes for realizing the functions of the first to seventh embodiments is supplied to a system or apparatus, and a CPU (Central Processing Unit) or MPU (Microprocessing Unit) of the system or apparatus is provided. It can also be realized by reading and executing the program code stored in the storage medium.

  As described above, the first to seventh embodiments are based on the following basic principle.

For an element P _i , element X _i (= s _i P _i ) of a finite group G of order q (i = 1,..., N; s _i is an integer between 0 and less than q), a prover And the verifier performs the following procedure. The element X _i is information that the prover needs for proof.

  First, the prover performs the following procedure.

Procedure 1 generates n integers r _i that are greater than or equal to 0 and less than q.

The procedure 2 calculates e ₁ = 1, e _i = H (P ₁ ‖... ‖P _n ‖X ₁ ‖... X _n ‖i). Here, H is a one-way hash function copied to an integer of 0 or more and less than q.

Procedure 3 calculates Y = Π _i e _i r _i P _i .

Procedure 4 calculates c = H (P ₁ || ··· ‖P _n ‖X ₁ || ··· ‖X _n ‖e ₁ || ··· ‖e _n ‖Y).

Procedure 5 calculates z _i = r _i −cs _i .

The procedure 6 outputs (c, z ₁ ,..., Z _n ).

Then, the verifier performs the following procedure with P _i , X _i , (c, z ₁ ,..., Z _n ) as inputs.

The procedure 1 calculates e ′ ₁ = 1, e ′ _i = H (P ₁ ‖... ‖P _n ‖X ₁ ‖... X _n ‖i).

The procedure 2 checks whether Y = Σ _i e ′ _i (z _i P _i + cX _i ) holds, and if so, determines that the prover knows s _i .

  Although the embodiments of the present invention have been described above, the present invention is not limited to the described embodiments, and various modifications can be made within the scope described in each claim.

  For example, the input unit of the proof device, the input unit and the output unit of the verification device in the first and third embodiments may be integrated into the reception unit of the verification device, the reception unit of the verification device, and the transmission unit, respectively. That is, initial information can be input via the network and output can be sent via the network.

The apparatus block diagram of the batch certification verification system in 1st, 3rd, 5th embodiment. The apparatus block diagram of the batch certification verification system in 2nd, 4th, 6th, 7th embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1,3 ... Proof device 11, 21, 31, 41 ... Input part 12, 23 ... Transmission part 13, 24 ... Reception part 14, 25, 33 ... Random number generation part 15, 26, 34, 43 ... Group addition calculating part 16 , 27, 35, 44 ... scalar multiplication unit 17, 37 ... four arithmetic units 2, 4 ... verification device 22, 32, 42 ... output unit 28, 46 ... comparison unit 36, 45 ... hash function calculation unit 100 ... communication line

Claims (15)

The proving device includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and four arithmetic operation units,
The verification device includes an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit.
A batch proof verification method using the verification device and the verification device connected to each other via a communication line,
The input unit of the proving device inputs a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and an integer s;
The input unit of the verification device inputs the element X _i which is the finite group G, the integer n, the element P _i and the sP _i of the n finite groups G;
A random number generation unit of the verification device generates n integers e _i (i = 1,..., N), and a transmission unit of the verification device transmits the integers e _i to the certification device;
The reception unit of the proving device receives the integer e _i , the random number generation unit of the proving device generates an integer r, and the group addition operation unit and the scalar multiplication operation unit of the proving device are Y = Σ _i re _i P calculating _i , obtaining Y, and transmitting the Y to the verification device by the transmission unit of the verification device;
A receiving unit of the verification device receives Y, a random number generation unit of the verification device generates an integer c, and a transmission unit of the verification device transmits the integer c to the verification device;
The receiving unit of the proving device receives the integer c, the four arithmetic operation units of the proving device calculate z = r−cs to obtain z, and the transmitting unit of the proving device transmits the z to the verification device. Steps,
The receiving unit of the verification device receives z, and the group addition operation unit and the scalar multiplication operation unit of the verification device calculate Y ′ = Σ _i e _i (zP _i + cX _i ) to obtain Y ′, and the verification Obtaining a determination result of whether or not the received Y and the calculated Y ′ are equal by the comparison unit of the device, and outputting the determination result from the output unit of the verification device;
A batch proof verification method characterized by comprising: An input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, an arithmetic operation unit,
A proof device that proves knowledge of s for an element X _i that is information necessary for input proof,
Means for inputting a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and an integer s at the input unit;
The reception unit receives an integer e _i , causes the random number generation unit to generate an integer r, calculates Y = Σ _i re _i P _i in the group addition operation unit and scalar multiplication operation unit, finds Y, Means for transmitting the Y in the transmission unit;
Means for receiving an integer c at the receiving unit, calculating z = r−cs at the four arithmetic operation units to obtain z, and transmitting the z at the transmitting unit;
A proving device comprising: An input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, an arithmetic operation unit,
Means for inputting a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and an integer s less than, at the input unit;
Receiving the integer e _i from the reception unit, causing the random number generation unit to generate an integer r, calculating Y = Σ _i re _i P _i in the group addition operation unit and the scalar multiplication operation unit, obtaining Y; Means for transmitting the Y in the transmission unit;
Means for receiving the integer c at the receiving unit, calculating z = r−cs at the four arithmetic operation units to obtain z, and transmitting the z at the transmitting unit;
Have
Element X which is sP _i of finite group G, integer n, element P _i and n finite groups G used in the proof device for proving knowledge of s for element X _i which is information necessary for input proof _A verification apparatus comprising an input unit for inputting _i , an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit,
Means for generating n integers e _i (i = 1,..., N) in the random number generation unit of the verification device, and transmitting the integers e _i in the transmission unit of the verification device;
Means for receiving Y at the receiver of the verification device, generating an integer c at the random number generator of the verification device, and transmitting the integer c at the transmitter of the verification device;
Receiving said z from the receiver of the verification device, by the group addition operation unit of the verification device and the scalar multiplication unit, Y obtains a _{'= Σ i e i (zP} i + cX i) was calculated Y', the verification Means for determining whether the received Y and the calculated Y ′ are equal in the comparison unit of the device, and outputting the determination result from the output unit of the verification device;
The verification apparatus characterized by having. Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
A proof device that proves knowledge of s for an element X _i that is information necessary for input proof,
From the input unit, a certain finite group G, an integer n greater than or equal to 2, n elements P _i (i = 1, 2,..., N) of G, an integer s, and sP _i of the finite group G Means for inputting the original X _i ;
Means for causing the random number generator to generate a random number r;
Means for inputting P ₁ ,..., P _n to the hash function computing unit to generate an integer e _i ;
Based on the random number r and the integer e _i , Y = Σ _i e _i rP _i is calculated by the group addition operation unit and the scalar multiplication operation unit, and Y is obtained;
Based on the obtained Y, means for inputting Y to the hash function computing unit and generating a numerical value c;
Means for calculating z = r−cs in the four arithmetic units and obtaining z;
Means for outputting the numerical values c and z at the output unit;
A proof device comprising: Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
In the input unit, a certain finite group G, an integer n of 2 or more, n elements P _i (i = 1, 2,..., N) of G, an integer s, and sP _i of the finite group G Means for inputting a certain element X _i ,
Means for causing the random number generator to generate a random number r;
Means for inputting P ₁ ,..., P _n to the hash function computing unit to generate an integer e _i ;
Based on the random number r and the integer e _i , Y = Σ _i e _i rP _i is calculated by the group addition operation unit and the scalar multiplication operation unit, and Y is obtained;
Based on the obtained Y, means for inputting Y to the hash function computing unit and generating a numerical value c;
Means for calculating z = r−cs in the four arithmetic units and obtaining z;
Means for outputting the numerical values c and z at the output unit,
The finite group G, the integer n, the element P _i , the element X _i that is the sP _i of the finite group G, and those used in the proof device that proves the knowledge of s for the element X _i that is information necessary for the input proof An input unit for inputting c and z output using the value of, an output unit, a group addition operation unit, a scalar multiplication operation unit, a hash function operation unit, a comparison unit,
A verification device for verifying knowledge of s with respect to an element X _i which is information necessary for input proof,
Means for inputting P ₁ ,..., P _n to the hash function calculation unit of the verification device to generate an integer e ′ _i ;
Wherein in the group addition operation unit of the verification device and the scalar multiplication unit calculates the _{Y '= Σ i e' i} (zP i + cX i), means for determining Y ',
Means for inputting the obtained Y ′ to the hash function computing unit of the verification device and calculating a numerical value c ′;
Means for determining whether c and c ′ are equal in the determination unit of the verification device;
Means for outputting the determination result at the output unit of the verification device;
A verification apparatus comprising: The proving device includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and four arithmetic operation units,
The verification device includes an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit.
A batch proof verification method using the verification device and the verification device connected to each other via a communication line,
The input unit of the proving device inputs a certain finite group G, a certain integer n of 2 or more, n elements P _i of the G, and n integers s _i ;
The input unit of the verification device inputs the element X _i which is the G, n, P _i and the n G s _i P _i ;
The random number generation unit of the verification device generates n integers e _i (i = 1,..., N), and the transmission unit of the verification device transmits the integer e _i to the proving device;
Receiving unit receives the integer e _i of the proving device, the random number generation unit of the proving device generates a n integers r _i, computes the _{Y = Σ i r i e i} P i, the transmitting unit of the proving device Transmitting Y to the verification device;
The receiving unit of the verification device receives Y, the random number generation unit of the verification device generates an integer c, and the transmission unit of the verification device transmits the integer c to the certification device;
A receiving unit of the proving device receives a random number c, an arithmetic operation unit of the proving device calculates z _i = r _i -cs _i, and a transmitting unit of the proving device transmits z _i to the verification device;
The receiving unit of the verification device receives z _i , the group addition operation unit and the scalar multiplication operation unit of the verification device calculate Y ′ = Σ _i e _i (z _i P _i + cX _i ), and the received Y and A step of determining whether the calculated Y ′ is equal by the comparison unit of the verification device;
A batch proof verification method characterized by comprising: An input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, an arithmetic operation unit,
A proof device that proves knowledge of s for an element X _i that is information necessary for input proof,
Means for inputting a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and n integers s _i at the input unit;
The reception unit receives an integer e _i , causes the random number generation unit to generate n integers r _i , and calculates Y = Σ _i r _i e _i P _i by the group addition operation unit and the scalar multiplication operation unit. Means for transmitting Y in the transmission unit;
Means for receiving a random number c at the receiving unit, calculating z _i = r _i −cs _i at the four arithmetic operation units, and transmitting z _i at the transmitting unit;
A proving device comprising: An input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, an arithmetic operation unit,
Means for inputting a certain finite group G, a certain integer n of 2 or more, n elements P _i of G, and n integers s _i at the input unit;
The receiving unit receives the integer e _i , causes the random number generation unit to generate n integers r _i , and calculates Y = Σ _i r _i e _i P _i in the group addition operation unit and scalar multiplication operation unit, Means for transmitting Y at the transmitter;
Means for receiving the random number c at the receiving unit, calculating z _i = r _i −cs _i at the four arithmetic operation units, and transmitting z _i at the transmitting unit, and with the information necessary for the input proof is there based on X _i finite group used in the certification apparatus to prove the knowledge of s with respect to G, are two or more integer n, s _i P _i of n elements P _i and n number of the finite group G of the G A verification device including an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit for inputting an element X _i ,
Means for generating n integers e _i (i = 1,..., N) in the random number generation unit of the verification device, and transmitting the integers e _i in the transmission unit of the verification device;
Receiving Y at the reception unit of the verification device, causing the random number generation unit of the verification device to generate an integer c, and transmitting the integer c at the transmission unit of the verification device;
Receiving said z _i by the receiver of the verification device, wherein in the group addition operation unit and the scalar multiplication portion of the verification device Y '= Σ _i e _i a _{(z i P i + cX i} ) was calculated and the received Y And means for determining by the comparison unit of the verification device whether the calculated Y ′ is equal;
The verification apparatus characterized by having. Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
A proof device that proves knowledge of s for an element X _i that is information necessary for input proof,
At the input unit, a finite group G, an integer n greater than or equal to 2, n elements P _i (i = 1, 2,..., N) of G, n integers s _i , s of G and means for inputting the original X _i, which is the _i P _i,
Means for causing the random number generator to generate n random numbers r _i ;
Means for inputting P ₁ ,..., P _n to the hash function computing unit to generate an integer e _i ;
In the group adder and scalar multiplication unit, means for calculating a _{Y = Σ i e i r i} P i,
Means for inputting Y to the hash function computing unit to generate a numerical value c;
Means for calculating z _i = r _i −cs _i in the arithmetic operation unit;
Means for outputting (c, z ₁ ,..., Z _n ) at the output unit;
A proving device comprising: Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
At the input unit, a finite group G, an integer n greater than or equal to 2, n elements P _i (i = 1, 2,..., N) of G, n integers s _i , s of G and means for inputting the original X _i, which is the _i P _i,
Means for causing the random number generator to generate n random numbers r _i ;
Means for inputting P ₁ ,..., P _n to the hash function computing unit to generate an integer e _i ;
In the group adder and scalar multiplication unit, means for calculating a _{Y = Σ i e i r i} P i,
Means for inputting Y to the hash function computing unit to generate an integer c;
Means for calculating z _i = r _i −cs _i in the arithmetic operation unit;
Means for outputting (c, z ₁ ,..., Z _n ) at the output unit,
The finite group G used in the certification apparatus to prove the knowledge of s _i for the original X _i with the information necessary to input proven integer n, the original P _i, based on X which is a s _i P _i of the finite group G c and z ₁ ,... output using _i and their values. . . , Z _n input unit, output unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, comparison unit,
A verification apparatus comprising means for verifying the knowledge of s _i with respect to an element X _i which is information necessary for input proof,
Means for inputting P ₁ ,..., P _n to the hash function calculation unit of the verification device to generate an integer e ′ _i ;
It means for calculating a _{Y '= Σ i e' i} (z i P i + cX i) in the group addition unit of the verification device and the scalar multiplication calculation portion,
Means for generating an integer c ′ by inputting Y ′ into the hash function calculation unit of the verification device;
Means for determining whether the input c and the calculated c ′ are equal in the comparison unit of the verification device;
Means for outputting the determination result at the output unit of the verification device;
The verification apparatus characterized by having. The proving device includes an input unit for inputting initial information, a transmission unit, a reception unit, a random number generation unit for generating random numbers, a group addition operation unit, a scalar multiplication operation unit, and four arithmetic operation units,
The verification device includes an input unit, an output unit, a transmission unit, a reception unit, a random number generation unit, a group addition operation unit, a scalar multiplication operation unit, and a comparison unit.
A batch proof verification method using the verification device and the verification device connected to each other via a communication line,
The input unit of the proving device inputs a certain finite group G, a certain integer n of 2 or more, n elements P _i of the G, and n integers s _i ;
The random number generation unit of the proving device generates a random number r _i (i = 1,..., N), and Y = Σ _i r _i by the group addition operation unit of the proving device and the scalar multiplication operation unit of the proving device. Calculating _Pi, and the transmitting unit of the proving device transmits Y;
The receiving unit of the verification device receives Y, and the random number generation unit of the verification device generates a random number e _i (i = 1,..., N) consisting of an integer between 0 and less than 2 ^t , and the verification device a step of the transmission unit transmits the random number e _i,
The receiving unit of the proving device receives the random number e _i , calculates z _i = (r _i −e _i s _i ) by the four arithmetic operation units of the proving device, and the transmitting unit of the proving device transmits z _i . Steps,
Wherein using the group addition operation unit and the scalar multiplication portion of the verification device Y 'calculates a _{= Σ i z i P i +} e i X i, the comparison unit of the verification device and the calculated Y said received Y' is Determining whether they are equal;
A batch proof verification method characterized by comprising: Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
A proof device that proves knowledge of s for an element X _i that is information necessary for input proof,
In the input unit, a certain finite group G, a certain integer n of 2 or more, n integers s _i , n elements P _i of G (i = 1, 2,..., N), finite group G Means for inputting an element X _i that is s _i P _i of
Means for generating random numbers r _i (i = 1,..., N) which are integers from the random number generation unit;
Means for calculating Y = Σ _i r _i P _i by the group addition operation unit and the scalar multiplication operation unit;
Means for generating a numerical value e by inputting Y into the hash function calculation unit;
Means for calculating z _i = r _i −e ⁱ s _i in the arithmetic operation unit;
Means for outputting (e, z ₁ ,..., Z _n ) at the output unit;
A proving device comprising: Input unit, output unit, random number generation unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, four arithmetic operation unit,
In the input unit, a certain finite group G, a certain integer n of 2 or more, n integers s _i , n elements P _i of G (i = 1, 2,..., N), finite group G Means for inputting an element X _i that is s _i P _i of
Means for generating random numbers r _i (i = 1,..., N) which are integers from the random number generation unit;
Means for calculating Y = Σ _i r _i P _i by the group addition operation unit and the scalar multiplication operation unit;
Means for generating a numerical value e by inputting Y into the hash function calculation unit;
Means for calculating z _i = r _i −e ⁱ s _i in the arithmetic operation unit;
Means for outputting (e, z ₁ ,..., Z _n ) at the output unit;
Has a finite group G used in the certification apparatus to prove the knowledge of s with respect to the original X _i which is necessary information to the input proven integer n, the integer s _i, based on P _i, s _i of the finite group G e, z _1, which is output using the original X _i and their values are P _i. . . , Z _n input unit, output unit, group addition operation unit, scalar multiplication operation unit, hash function operation unit, comparison unit,
A verification apparatus comprising means for verifying the knowledge of s _i with respect to an element X _i which is information necessary for input proof,
It means for calculating a _{Y '= Σ i z i P} i + e i X i in the group addition unit of the verification device and the scalar multiplication calculation portion,
Means for generating an integer e ′ by inputting Y ′ into the hash function computing unit of the verification device;
Means for determining whether or not the input numerical value e and the calculated integer e ′ are equal in the comparison unit of the verification device;
Means for outputting the determination result at the output unit of the verification device;
The verification apparatus characterized by having.   The verification apparatus according to claim 2 and the verification apparatus according to claim 3 are connected by a communication line, and batch verification is performed by transmitting and receiving data between the verification apparatus according to claim 2 and the verification apparatus according to claim 3. A batch proof verification system characterized by performing verification.   12. A batch certification verification program characterized in that the batch certification verification method according to claim 1, is described as a computer program executable by a computer.

Images